#!/bin/bash
#description: configure private CA and application server self-signed certificate
#date: 2018/03/21
#author: louis

#定义变量
CDIR="/etc/pki/CA"
CNF="/etc/pki/tls/openssl.cnf"
CAKEY="cakey.pem"
CACERT="cacert.pem"
EMAIL="851628816@qq.com"
CANAME="ca.51yuki.cn"
IP="$(ifconfig eth0|grep inet|grep -v inet6|awk '{print $2}')"
#安装软件
yum -y install expect 
#备份openssl.cnf
cd /etc/pki/tls/ && [ ! -f openssl.cnf.ori ] && cp openssl.cnf{,.ori}
function create_ca(){
	#创建所需要的文件
	cd $CDIR && [ ! -f index.txt ] && touch index.txt
	[ ! -f serial ] && echo 01 > serial
	#创建私钥
	(umask 077; openssl genrsa -out ${CDIR}/private/${CAKEY} 4096)
	#创建CA公钥
	        /usr/bin/expect <<EOF
                spawn openssl req -new -x509 -key /etc/pki/CA/private/${CAKEY} -days 3650 -out ${CDIR}/${CACERT}
                expect "Country" {send "CN\r"} 
                expect "State" {send "Shanghai\r"}
                expect "Locality" {send "Shanghai\r"}
                expect "Organization" {send "lishifeng\r"}
                expect "Organizational" {send "Als\r"}
                expect "Common Name" {send "${CANAME}\r"}
                expect "Email Address" {send "${EMAIL}\r"}
                expect eof
EOF
    #以上$CAKEY和$CACERT文件，$CAKEY为CA证书的私钥
}
function apply_cert(){
    read -p "please input server domain:" domain
    #生成私钥
    cd $CDIR 
   (umask 077; openssl genrsa -out ${CDIR}/private/${domain}.key 2048)
   #生成证书签署请求
   /usr/bin/expect <<EOF
   spawn openssl req -new -key ${CDIR}/private/${domain}.key  -days 365 -out ${CDIR}/${domain}.csr
	        expect "Country" {send "CN\r"} 
                expect "State" {send "Shanghai\r"}
                expect "Locality" {send "Shanghai\r"}
                expect "Organization" {send "lishifeng\r"}
                expect "Organizational" {send "Als\r"}
                expect "Common Name" {send "${domain}\r"}
                expect "Email Address" {send "${EMAIL}\r"}
		expect "A challenge" {send "\r"}
		expect "An optional company " {send "\r"}
		expect eof
EOF
   #然后把csr请求，发送给CA 
	password="Lsf@8816"
	cd $CDIR 
	/usr/bin/expect <<EOF
	spawn  scp ${CDIR}/${domain}.csr root@$IP:/tmp
   	expect "*assword:" { send "$password\n"}  
	expect eof
EOF
	/usr/bin/expect <<EOF
	spawn openssl ca -in /tmp/${domain}.csr -out ${CDIR}/certs/${domain}.crt -days 365
	expect "Sign*" {send "y\r"}
	expect "1 out of 1 certificate*" {send "y\r"}
	expect eof
EOF
#此时证书申请完毕，公钥存放在${CDIR}/certs 私钥存放在${CDIR}/private ,然后把这个拷贝到对应目录下，配置好nginx或http等
}
function revoke_cert(){
       read -p "please input revoke domain:" domain
        openssl ca -revoke ${CDIR}/certs/${domain}.crt -cert ${CDIR}/${CACERT} -keyfile ${CDIR}/private/${CAKEY}
        cd $CDIR
	[ ! -f crlnumber ] && echo 01 > crlnumber
	#更新证书吊销列表
	openssl ca -gencrl -out ${CDIR}/crl/crl.pem
        if [ "$(cat index.txt|grep "$domain"|awk '{print $1}')" == "R" ];then
                echo "revoke $domain succfull"
        else
                echo "revoke $domain fail"
        fi

}
cat <<EOF
-----------------------------------------------------------------
                Configure the self-signed certificate
----------------------------------------------------------------
| DATE                   :  $DATE
| IP                     :  $IPADDR
| HOSTNAME               :  $HOSTNAME
---------------------------------------------------------------
|*********Please Enter your Choice:***************************|
(1) Configure the private CA server
(2) Application server certificate
(3) Revoke server certificate
(4) quit
EOF
read -p "please enter your choice:" input
case $input in
1)
    create_ca
    ;;
2)
    apply_cert
    ;;
3)
    revoke_cert
    ;;
4)
   exit 1
esac

